TMG and BigFix BESClient

No series of posts would be complete if I didn’t relate it back to my new fabulous job some how…

The Microsoft Threat Management Gateway is secure by default.  This means everything you want to do or rather connect to online must be configured properly within the TMG console.  The BigFix Enterprise Client is no different.

By default the BigFix infrastructure communicates on port 52311.  Therefore we must let TMG know that we’d like our clients to talk over this port.

Below is a graphical step by step on how this is done:

1. Lets start by creating a new row…

ForeFront TMG->Firewall Policy->Tasks (tab)->Create Access Rule

1

2. Of course we’ll be Allowing this port to communicate

2

3. We’ll be creating a brand new protocol… so hit Add then in the Add Protocols window click New->Protocol

3    4

4. Name your protocol…

5

5. We’ll be adding the BigFix TCP port 52311 here… (You may have deployed via a different port… specify your custom BigFix port here…)

6  7   8

6. We have no secondary connections that are needed… so click next and hit finish

9   10

7. Next we will expand the “User-Defined” branch and choose our “BigFix Communication Protocol” we just defined and hit Add->Close->Next

11  12

8. Specify who is allowed to communicate… Source which should be your internal network.

13

9. And specify our destination which in my case I am setting up a secondary site and all these clients will communicate with my BigFix Root server somewhere else on the internet.  (later on I’ll setup a relay on one of the computers at this location and adjust TMG firewall rules.)

14

10.  Because BigFix is my main management for all my computers, I want every computer to have permissions to communicate via this port… so I’ll leave the default “All Users” here… Next->Finish

15   16

 

We’ll probably want to make sure this is our first firewall rule so it is not interfered with by some other rule.  After hitting finish it should look like this:

17

Lastly we’ll need to “Apply” this new rule set in order to get things working.

18

Advertisements

CentOS 5 and the BigFix Client

Installing this was a bit more difficult compared to the easy as pie SuSE and the Fedora 14 installs…

Following the instructions for the RedHat install, but downloading the CentOS client from the BigFix website (http://support.bigfix.com/bes/install/besclients-nonwindows.html)

Couldn’t get it to start and unlike Fedora 14, I received no indication as to what the problem was…
After solving the Fedora 14 install problem, I figured I’d try the same solution and I was successful…

Using the “setsebool -P allow_execstack 1” command, i was able to get it working finally… see (https://danielheth.com/2010/11/13/red-hat-fedora-14-and-bigfix-client-software/) for details.

Also reference (http://forum.bigfix.com/viewtopic.php?pid=25813#p25813) for additional information…

Red Hat Fedora 14 and BigFix Client Software

Finally got the client working on my Fedora 14 test box…

basically following the instructions on the bigfix website: http://support.bigfix.com/bes/install/besclients-nonwindows.html

Ran into a problem with the basic instructions though… a fresh install of Fedora 14 apparently has additional restrictions and would not allow the libBEScrypto library to function properly… i got the following error while attempting to launch the BESClient:

[root@fedora1 BESClient]# /etc/init.d/besclient start Starting BESClient: /opt/BESClient/bin/BESClient: error while loading shared libraries: libBEScrypto_1_0_0_1.so: cannot enable executable stack as shared object requires: Permission denied
[FAILED]

As it turns out the solution was simple… and i’m working via the BigFix forum thread (http://forum.bigfix.com/viewtopic.php?pid=25812#p25812) to explain to me why it worked… but basically to get the client started and working I had to run the following command:

setsebool -P allow_execstack 1

then using the “/etc/init.d/besclient start”, the client started right up…